If this is your first visit, be sure to
check out the Forum Rules by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

There are lots of things that you can do with fragrouter but we are going to use fragrouter to setup IP forwarding.

We do this with this command :

Code:

fragrouter -B1

Squash that window and put it to one side. Now open another shell and we will start dnsspoof with this command

Code:

dnsspoof -i ath0 (or whatever network interface you are using)

Again put that window to one side and lets load up webmitm. Webmitm will issue our ssl cert to the victim so we can decrypt the traffic we capture.

Start webmitm by typing

Code:

webmitm -d

Now we can start the arp spoof. To start ettercap type

Code:

ettercap -T -M arp:remote /router addy/ /victim addy/

Ok now we are rolling next thing is to sniff the traffic. There are a few things you can do know like using ettercap filters and adding urls from metasploit, (Maybe next tut ) and lots of other things. But we are intrested in the ssl traffic so I use wireshark to save the data into a .cap file.

Quick question.. trying to sniff https traffic on my own network.. it looks like the websites are being sent compressed. I know ettercap can change that with filtering but when it passes through ettercap it is still encrypted with SSL. Is there a better way to do this?

Also, is there an SSL decrypted out there that dumps the traffic back into a pcap capture format? I looked around on google and can't find one.

ssl mitm

I have been working on this for some time now. This morning in finally got ssl mitm working to the point that every site i tested dumped the user credentials. Unfortunately I have been unsuccessful in replicating this attack. Below are the commands I used for my successful attack. I have tried so many different combinations of this attack that I’m starting to get frustrated.

apparently you can use ettercap to sniff and mitm two seperate subnets.
I had a Wireless AP honeypot -> ath0 -> laptop -> eth0 -> internet setup for demo-ing to our employees how unsafe cafes are and to never just click "Accept" (though i doubt it did any good...) and i would always enable the forwarding AFTER starting ettercap:

Don't allow the Kernel to forward with ettercap.

Do not enabling packet forwarding via the kernal, i.e. /proc/sys/net/ipv4/ip_forward. Ettercap does this for you if you enable it in the kernel you will flood the network with duplicate packets. If you want to use the kernel than disable packet forwarding in ettercap. If you run both you'll cause havoc with duplicate, unnecessary packets.

Originally Posted by ranlr

apparently you can use ettercap to sniff and mitm two seperate subnets.
I had a Wireless AP honeypot -> ath0 -> laptop -> eth0 -> internet setup for demo-ing to our employees how unsafe cafes are and to never just click "Accept" (though i doubt it did any good...) and i would always enable the forwarding AFTER starting ettercap:

When used on a gateway, you have no choice.
from man ettercap:
"The kernel ip_forwarding is always disabled by ettercap. This is done to prevent to forward a packet twice (one by ettercap and one by the kernel). This is an invasive behaviour on gateways. So we recommend you to use ettercap on the gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since ettercap listens only on one network interface, launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface. "

So if used on two separate subnets (see my previous post), ie gateway, and you need it to be offensive, then you need the kernel to forward, am i wrong?

Originally Posted by ipndrmath

Do not enabling packet forwarding via the kernal, i.e. /proc/sys/net/ipv4/ip_forward. Ettercap does this for you if you enable it in the kernel you will flood the network with duplicate packets. If you want to use the kernel than disable packet forwarding in ettercap. If you run both you'll cause havoc with duplicate, unnecessary packets.